Abstract

The task of privacy amplification, in which Alice holds some partially secret information with respect to an 
adversary Eve and wishes to distill it until it is completely secret, is known to be solvable almost optimally in 
both the classical and quantum worlds. Unfortunately, when considering an adversary who is limited only by 
non-signalling constraints such a statement cannot be made in general. We here consider systems which violate 
the chained Bell inequality and prove that under the natural assumptions of a time-ordered non-signalling 
system, which allow past subsystems to signal future subsystems (using the device's memory for example), 
super-polynomial privacy amplification by any hashing is impossible. This is of great relevance when considering 
practical device independent key distribution protocols which assume a super-quantum adversary. 



1 Introduction 

Device independent key distribution 

Key distribution is the task of creating a shared secret string, called the key, between two parties. In contrast to classical key distribution protocols, which base their security on the computational power of the adversary, quantum key distribution (QKD) protocols are resilient against quantum adversaries with unbounded computational power. However, in order to apply traditional QKD security proofs, such as security proofs for the BB84 protocol [1], one should be able to fully characterise the devices on which the protocol is being executed. Failing to do so can introduce security flaws which can be exploited by the adversary [2]. Unfortunately, giving a full characterisation of quantum devices is usually an impractical task.

Due to this difficulty, in the past few years there has been a growing interest in device independent QKD (DIQKD). In DIQKD protocols [3, 4] we assume that the system on which the protocol is being executed was made and given to the honest parties Alice and Bob by a malicious adversary Eve. We therefore ought to consider the system, which we know nothing about, as a black box, and the security proof cannot be based on the internal functioning of the device.

How can this be done? As was first shown in [5], security proofs for DIQKD can be based on observed non-local correlations between Alice and Bob, i.e., on the correlations of the outputs they get from their systems. If the correlations they observe violate some Bell inequality, such as the CHSH inequality [6] or other more general chained Bell inequalities [8], and if Alice and Bob enforce a non-signalling condition between them in order to make sure that these correlations are indeed non-local, then they can be sure that some secrecy is available to them [8].

The first DIQKD protocol which was proven secure was a protocol by Barrett, Hardy and Kent (BHK) [8]. Although this protocol cannot tolerate a reasonable amount of noise, it showed that the task of DIQKD is in principle possible. Moreover, the BHK protocol security proof applies not only against quantum adversaries, but also against non-signalling adversaries.

When considering a non-signalling adversary the 
only thing which limits the adversary is the non- 
signalling principle. That is, the adversary has super- 
quantum power; however, if Alice and Bob enforce some 
local non-signalling constraints then these cannot be 
broken by the adversary. Such constraints can be en- 
forced by shielding and isolating the devices or by plac- 
ing them in a space-like separated way. For example, if 
Alice and Bob perform their measurements in a space- 
like separated way, then according to relativity theory, 
Alice cannot use her system in order to signal Bob and 
vice-versa. 

After the BHK protocol, several other DIQKD protocols, such as [10, 11], have been proven secure, but all using an impractical assumption; in order to guarantee security each subsystem used in the protocol must be isolated from all other subsystems, such that they cannot signal each other. For example, if Alice gets $n$ systems from Eve, each producing one bit, she must isolate each of these systems, in order to make sure that no informa-
impossibility result of [13] was extended to an even more general case [14].

A more realistic assumption to consider is that in 
addition to the non-signalling assumption between Al- 
ice and Bob, within the system of the parties signalling 
is possible only from the past to the future and not the 
other way around. These are natural assumptions when 
considering a protocol in which Alice and Bob each use 
just one device with memory. In that case, the inputs 
and outputs of past measurements (which were saved 
in the memory of the device) can affect the outputs of 
future measurements. Such conditions, which we call time-ordered non-signalling conditions, are defined formally in Definition 2.

In contrast to the full non-signalling conditions, the 
time-ordered non-signalling conditions are easy to en- 
sure. Alice and Bob can both shield their entire system 
(as has to be done anyhow in order to make sure that no 
information leaks straight to the adversary) and there- 
fore signalling will be impossible between them. More- 
over, when running the protocol, they will perform their 
measurements in a sequential manner; the first system 
will be measured in the beginning, then the second one 
and so on. This will make sure (as long as we believe 
that messages cannot be sent from the future to the 
past) that signalling is possible only in the forward di- 
rection of time. In fact, these are the non-signalling con- 
ditions that one "gets for free" when performing an ex- 
periment of QKD. For example, an entanglement-based 
protocol in which Alice and Bob receive entangled pho- 
tons and measure them one after another using the same 
device will lead to the time-ordered non-signalling con- 
ditions. If Alice's and Bob's devices have memory then 
information from past measurements can be available 
for future measurements, i.e., signalling is possible from 
the past to the future but not the other way around. 

In this paper we ask the following question. Un- 
der the assumptions of time-ordered non-signalling sys- 
tem, is privacy amplification against non-signalling ad- 
versaries possible? We give an example for a system 
which fulfils all the time-ordered non-signalling condi- 
tions, and in which super-polynomial PA is impossible. 
More precisely, we prove that for protocols which are based on a violation of chained Bell inequalities, under the assumption of a time-ordered non-signalling system, super-polynomial PA is impossible by any hashing. That is, when using $n$ black boxes, each producing a partially secret bit, the adversary can always get a great amount of information about the hashing result; at least as high as $\Omega(\frac{1}{n})$.

Although this proves that super-polynomial PA is 

1 If Alice's system can signal Eve's system then Alice's secret can leak to Eve completely. If Alice's system can signal Bob's system, then the correlations they observe are not necessarily non-local and could have been produced by a deterministic system. This implies that Eve can get all the information that Alice and Bob have as well.

2 The hash function might also take a random seed of size $m$ as an additional input; in that case $f : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^{|K|}$.

3 In contrast to the QKD problem, when considering the PA problem the only goal of Bob is to establish non-local correlations with Alice.



tion leaks from one system to another. Such a harsh constraint, which we call the full non-signalling constraint, eliminates the possibility of devices with memory.

Recently a new protocol, which does not share this drawback, was proven secure [12]. The sole assumption about the non-signalling constraints of the system in this protocol is that Alice, Bob and Eve cannot signal each other using the system, which is a minimal requirement from any cryptographic protocol.$^1$ However, this protocol, like the BHK protocol, cannot tolerate any reasonable amount of noise.



Privacy amplification 

In this paper we consider a simpler problem, called pri- 
vacy amplification (PA) . In the PA problem Alice holds 
some information which is only partially secret with re- 
spect to an adversary, Eve. Alice's goal is to distill her 
information, to a shorter string, which is completely (or 
almost completely) secret. Note that in the PA problem 
we only want Alice to have a secret key with respect to 
the adversary, while in QKD we also want Bob to hold 
the same key as Alice. Therefore PA is easier than QKD. 

In order to understand what exactly the PA problem is, consider the following scenario. Assume that Alice has a system, a black box, which produces for her a partially secret bit or a string, $X$. By saying that $X$ is partially secret we mean that there is some entropy in $X$ conditioned on Eve's knowledge about $X$. One would hope that by letting Alice use several such systems, which will produce several partially secret bits $X_1, X_2, \ldots, X_n$, she will have enough entropy in order to produce a more secret bit or a string, $K$, out of them, or in other words, she will be able to amplify the privacy of her key. The idea behind the PA protocols is to apply some hash function$^2$ $f : \{0,1\}^n \to \{0,1\}^{|K|}$ (for $|K| < n$) to $X_1, X_2, \ldots, X_n$ in order to receive a shorter, but more secret, bit string $K$. The amount of secrecy is usually measured by the distance of the actual system of Alice and Eve from an ideal system, in which $K$ is uniformly distributed and uncorrelated to Eve's system. This will be defined formally in the following section.

Since QKD in the presence of a non-signalling adversary is possible if we assume that Alice's and Bob's systems fulfil the full non-signalling conditions [10, 11], PA is also possible in this setting. However, it was already proven in [13] that PA is impossible if we impose non-signalling conditions only between Alice and Bob$^3$, i.e., Alice and Bob cannot signal each other, while signalling within their systems is possible. Recently, the
impossible under these conditions, this is still a partial answer to our question for two reasons. First, there might still be some other system, in which the secrecy is based on a different Bell inequality, for which exponential PA is possible. Second, in this paper we show that, independently of which hash function Alice is using, Eve can bias the key by at least $\Omega(\frac{1}{n})$, but can we find a specific hash function for which she cannot do any better than this? That is, is this result tight? Therefore, the question of whether (linear) privacy amplification is at all possible remains open.



This implies that $I^*_N$ can be made arbitrarily small for sufficiently large $N$.$^4$

In our proof we will assume that the systems violate the chained Bell inequality. This is of course not the only possible choice for QKD protocols, although it is the most common one. Moreover, note that since for this type of system PA is impossible, we cannot treat in general any system which produces some secrecy as a black box, and therefore PA in general is impossible.



2 Preliminaries 

Chained Bell inequalities 

For two correlated random variables $X, U$ we denote the conditional probability distribution of $X$ given $U$ by $P_{X|U}(x|u) = \Pr(X = x \mid U = u)$. A bipartite system is defined by the joint input-output distribution $P_{XY|UV}$, where $U$ and $X$ are usually Alice's input and output respectively, while $V$ and $Y$ are Bob's input and output. When considering a tripartite system which includes Eve, $P_{XYZ|UVW}$, Eve's input and output are $W$ and $Z$.

Bell proved that entangled quantum states can display non-local correlations under measurements [15]. We consider the following Bell-type experiments. Alice and Bob share a bipartite system $P_{XY|UV}$ where $U \in \{0, 2, \ldots, 2N-2\}$ and $V \in \{1, 3, \ldots, 2N-1\}$. We define the set of allowed input pairs for Alice and Bob to be $G_N = \{(u,v) \mid u \in U, v \in V, |u - v| = 1\} \cup \{(0, 2N-1)\}$. For each measurement $U$ of Alice and each measurement $V$ of Bob there are two possible outcomes, 0 or 1. That is, $X, Y \in \{0, 1\}$. The relevant Bell inequality then reads [8]

$$I_N = P(X = Y \mid U = 0, V = 2N-1) + \sum_{\substack{u, v \\ |u - v| = 1}} P(X \neq Y \mid U = u, V = v) \geq 1. \qquad (1)$$

This implies that correlations which satisfy $I_N < 1$ are non-local and cannot be described by shared randomness of the parties. For $N = 2$ this inequality is the CHSH inequality [6].

For the maximally entangled state $|\Phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$, if Alice's measurements are in the basis $\{\cos\frac{\theta}{2}|0\rangle + \sin\frac{\theta}{2}|1\rangle,\ \sin\frac{\theta}{2}|0\rangle - \cos\frac{\theta}{2}|1\rangle\}$ for $\theta = \frac{u\pi}{2N}$, and Bob's measurements are in the same basis but for $\theta = \frac{v\pi}{2N}$, then the correlations they get satisfy

$$I^*_N = 2N \sin^2\frac{\pi}{4N} \leq \frac{\pi^2}{8N}. \qquad (2)$$

Non-signalling systems

Denote Alice's and Bob's system by $P_{XY|UV}$. A minimal requirement needed for any useful system is that Alice cannot signal to Bob using the system and vice versa; otherwise, the measured Bell violation will have no meaning. This can be ensured by placing Alice and Bob in space-like separated regions or by shielding their systems.

Definition 1. (Non-signalling between Alice and Bob). A $2n$-party conditional probability distribution $P_{XY|UV}$ over $X, Y, U, V \in \{0,1\}^n$ does not allow for signalling from Alice to Bob if

$$\forall y, u, u', v \qquad \sum_x P_{XY|UV}(x, y \mid u, v) = \sum_x P_{XY|UV}(x, y \mid u', v),$$

and does not allow for signalling from Bob to Alice if

$$\forall x, v, v', u \qquad \sum_y P_{XY|UV}(x, y \mid u, v) = \sum_y P_{XY|UV}(x, y \mid u, v').$$

This definition implies that Bob (Alice) cannot infer from his (her) part of the system which input was given by Alice (Bob). The marginal system each of them sees is the same for all inputs of the other party and therefore the system $P_{XY|UV}$ cannot be used for signalling.
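As an added, self-contained check of Equations (1) and (2) and of Definition 1 (example code written for this edit, not part of the paper): it builds the box $P_{XY|UV}$ that the measurements of Equation (2) on $|\Phi^+\rangle$ produce, evaluates $I_N$ over the allowed pairs $G_N$, compares it with the closed form $2N\sin^2\frac{\pi}{4N}$ and the bound $\frac{\pi^2}{8N}$, and verifies the non-signalling conditions of Definition 1 on the allowed pairs. The function names and the dictionary layout are this example's own choices; the cell probabilities are the Born-rule values for real single-qubit bases, which the comments state as an assumption rather than a formula taken from the page.

```python
import math
from itertools import product

# Chained-Bell experiment of Section 2 for N measurement settings per party.
# Alice's inputs are even, Bob's are odd; the allowed pairs form the set G_N.
def allowed_pairs(N):
    U = range(0, 2 * N - 1, 2)          # {0, 2, ..., 2N-2}
    V = range(1, 2 * N, 2)              # {1, 3, ..., 2N-1}
    pairs = [(u, v) for u in U for v in V if abs(u - v) == 1]
    return pairs + [(0, 2 * N - 1)]

def quantum_box(N):
    """P_{XY|UV}(x, y | u, v) for |Phi+> measured in the bases of Eq. (2).

    Assumption (Born rule for real bases): Alice's basis angle is theta_A/2 with
    theta_A = u*pi/(2N), Bob's is theta_B/2 with theta_B = v*pi/(2N), and
    Pr[x, y] = (a_x . b_y)^2 / 2, so Pr[X=Y] = cos^2(delta), Pr[X!=Y] = sin^2(delta)
    with delta = (theta_A - theta_B)/2."""
    P = {}
    for (u, v) in allowed_pairs(N):
        delta = (u - v) * math.pi / (4 * N)
        same = math.cos(delta) ** 2 / 2         # weight of each of (0,0), (1,1)
        diff = math.sin(delta) ** 2 / 2         # weight of each of (0,1), (1,0)
        for x, y in product((0, 1), repeat=2):
            P[(x, y, u, v)] = same if x == y else diff
    return P

def chained_bell_value(P, N):
    """I_N of Eq. (1): Pr[X=Y | 0, 2N-1] + sum over |u-v|=1 of Pr[X!=Y | u, v]."""
    total = P[(0, 0, 0, 2 * N - 1)] + P[(1, 1, 0, 2 * N - 1)]
    for (u, v) in allowed_pairs(N):
        if abs(u - v) == 1:
            total += P[(0, 1, u, v)] + P[(1, 0, u, v)]
    return total

def marginal(P, u, v, party):
    """Output distribution of Alice (party 0) or Bob (party 1) for inputs (u, v)."""
    out = [0.0, 0.0]
    for x, y in product((0, 1), repeat=2):
        out[(x, y)[party]] += P[(x, y, u, v)]
    return out

def is_non_signalling(P, N, tol=1e-12):
    """Definition 1 restricted to the allowed pairs: Alice's marginal must not
    depend on v, Bob's marginal must not depend on u."""
    G = allowed_pairs(N)
    for (u, v) in G:
        for (u2, v2) in G:
            if u == u2 and any(abs(a - b) > tol for a, b in
                               zip(marginal(P, u, v, 0), marginal(P, u2, v2, 0))):
                return False
            if v == v2 and any(abs(a - b) > tol for a, b in
                               zip(marginal(P, u, v, 1), marginal(P, u2, v2, 1))):
                return False
    return True

def quantum_bound(N):
    """Closed form of Eq. (2): I*_N = 2N sin^2(pi / 4N)."""
    return 2 * N * math.sin(math.pi / (4 * N)) ** 2

def below_pi_bound(N):
    """The inequality I*_N <= pi^2 / (8N) stated in Eq. (2)."""
    return quantum_bound(N) <= math.pi ** 2 / (8 * N)

if __name__ == "__main__":
    for N in (2, 3, 10, 100):
        P = quantum_box(N)
        print(N, chained_bell_value(P, N), quantum_bound(N), is_non_signalling(P, N))
```

For $N = 2$ the value is $2 - \sqrt{2} \approx 0.586 < 1$, the CHSH violation of the singlet correlations written in the form of Equation (1); increasing $N$ drives $I^*_N$ towards 0 while the box stays non-signalling.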

In this paper we consider the conditions that we call 
time-ordered non-signalling conditions. 



4 However, as $N$ gets larger it becomes difficult to close the detection loophole [16] in the performed experiments, which is essential for any protocol that is based on non-local correlations.
Figure 1: Time-ordered non-signalling condition for $i = 3$. Signalling is impossible in the direction of the straight arrow.

Definition 2. (Time-ordered non-signalling system). For any $i \in \{2, \ldots, n\}$ denote the set $\{1, \ldots, i-1\}$ by $I_1$ and the set $\{i, \ldots, n\}$ by $I_2$, and for $i = 1$ let $I_1 = \emptyset$ and $I_2 = [n]$. A $2n$-party conditional probability distribution $P_{XY|UV}$ over $X, Y, U, V \in \{0,1\}^n$ is a time-ordered non-signalling system (does not allow for signalling from the future to the past) if for any $i \in [n]$,

$$\forall x, y_{I_1}, u, v_{I_1}, v_{I_2}, v'_{I_2} \qquad \sum_{y_{I_2}} P_{XY|UV}(x, y_{I_1}, y_{I_2} \mid u, v_{I_1}, v_{I_2}) = \sum_{y_{I_2}} P_{XY|UV}(x, y_{I_1}, y_{I_2} \mid u, v_{I_1}, v'_{I_2}).$$

Figure 1 illustrates these conditions. Note that the conditions of Definition 1 follow from these conditions.

Non-signalling adversaries 

When modelling a non-signalling adversary, the question in mind is as follows: given a system $P_{XY|UV}$ shared by Alice and Bob, for which some arbitrary non-signalling conditions hold, which extensions to a system $P_{XYZ|UVW}$, including the adversary Eve, are possible? The only principle which limits Eve is the non-signalling principle, which means that for any of her measurements $w$, the conditional system $P_{XY|UV}$ given $W = w$ and $Z = z$, for any $z \in Z$, must fulfil all of the non-signalling conditions that $P_{XY|UV}$ fulfils, and in addition $P_{XYZ|UVW}$ cannot allow signalling between Alice and Bob together and Eve.



We adopt here the model given in [10, 13, 17] of non-signalling adversaries. Because Eve cannot signal to Alice and Bob (even together) by her choice of input, we must have, for all $x, y, u, v, w, w'$,

$$\sum_z P_{XYZ|UVW}(x, y, z \mid u, v, w) = \sum_z P_{XYZ|UVW}(x, y, z \mid u, v, w') = P_{XY|UV}(x, y \mid u, v).$$

We can therefore see Eve's input as a choice of a convex 
decomposition of Alice's and Bob's system and her out- 
put as indicating one part of this decomposition. For- 
mally, we can define every strategy of Eve as a partition 
of Alice's and Bob's system in the following way. 

Definition 3. (Partition of the system). A partition of a given multipartite system $P_{XY|UV}$, which fulfils a certain set of non-signalling conditions $\mathcal{C}$, is a family of pairs $(p_z, P^z_{XY|UV})$, where:

1. $p_z$ is a classical distribution (i.e. for all $z$, $p_z \geq 0$ and $\sum_z p_z = 1$).

2. For all $z$, $P^z_{XY|UV}$ is a system that fulfils $\mathcal{C}$.

3. $P_{XY|UV} = \sum_z p_z P^z_{XY|UV}$.

In our scenario the goal of the adversary is to gain information about $f(X)$, for some function$^5$ $f : \{0,1\}^n \to \{0,1\}$. Note that since the adversarial strategy can be chosen after all public communication between Alice and Bob is done, any additional random seed cannot help Alice and Bob. Therefore it is enough to consider deterministic functions in this case.

In order to quantify how good a strategy w is, i.e., 
how much information Eve gains about f(X) by using 
w, we use the variational distance between the real sys- 
tem and the ideal system, in which f(X) is uniformly 
distributed and independent of the adversary's system. 

Lemma 4. (Lemma 3.7 in [17]). For the case $K = f(X)$, where $f : \{0,1\}^n \to \{0,1\}$, $U = u$, $V = v$, and where the strategy $w$ is defined by the partition $\{(p_z, P^z_{XY|UV})\}_{z \in \{0,1\}}$ such that $\Pr[K = 0 \mid Z = 0] \geq \frac{1}{2}$, the distance from uniform of $f(X)$ given the strategy $w$ is

$$d(K \mid Z(w)) = p_{z=0} \cdot \left(\Pr[K = 0 \mid Z = 0] - \Pr[K = 1 \mid Z = 0]\right) - \tfrac{1}{2}\left(\Pr[K = 0] - \Pr[K = 1]\right).$$



5 It is enough to consider the case where Alice wants to create just one secret bit. An impossibility result for one bit implies an 
impossibility result for several bits. 
3 Main result

In order to show an impossibility result we give a concrete adversarial strategy against any almost balanced hash function. Eve will create a time-ordered non-signalling system between Alice, Bob and herself, such that when she inputs the hash function $f$ which was chosen by Alice on her side of the system, the output will be a guess at $f(x)$. We prove that this guess is correct with probability of at least $\frac{1}{2} + \frac{c}{n}$, where $c$ is some constant and $n$ is the number of systems shared by Alice and Bob. Against functions which are not almost balanced Eve can just use a trivial strategy and guess the value of the function without using her part of the system at all.

As noted before, in order to prove an impossibility result it is enough to prove it for a specific system. We assume that when the adversary is not present, Alice and Bob share $n$ independent maximally entangled states and perform the measurements which achieve the violation of Equation (2). We denote the system of each entangled pair by $P_{X_iY_i|U_iV_i}$ for $i \in [n]$ and the whole system by $P_{XY|UV} = \prod_{i=1}^{n} P_{X_iY_i|U_iV_i}$.

Let $f : \{0,1\}^n \to \{0,1\}$ be an almost balanced function. Showing a strategy is giving a partition of Alice's and Bob's system, as in Definition 3. Our partition will have 2 parts, $P^0_{XY|UV}$ and $P^1_{XY|UV}$, each occurring with probability $\frac{1}{2}$, and $P_{XY|UV} = \frac{1}{2}P^0_{XY|UV} + \frac{1}{2}P^1_{XY|UV}$. In our partition $P^0_{XY|UV}$ is biased towards $f(x) = 0$ and $P^1_{XY|UV}$ towards $f(x) = 1$. That is, if Eve gets an outcome of $z = 0$ (1) when measuring her part of the system she knows that Alice's output $x$ is more likely to be a preimage of 0 (1) according to $f$.

In this section we explain the idea and the intuition behind the adversarial strategy and the main principles of the proof. For the formal proof and technical details please see Appendix C. We start by describing how Eve can bias the system towards $f(x) = 0$, i.e., what $P^0_{XY|UV}$ is.

Assume for the moment that for some given prefix of $x$, $x_{1\ldots i-1}$, and function $f$ we have

$$\Pr_{x_{i+1\ldots n}}\left[f(x_{1\ldots i-1}\,0\,x_{i+1\ldots n}) = 0\right] > \Pr_{x_{i+1\ldots n}}\left[f(x_{1\ldots i-1}\,1\,x_{i+1\ldots n}) = 0\right].$$

This implies that, for this specific prefix $x_{1\ldots i-1}$, if Eve can guess the $i$'th bit $x_i$ then she can also guess the output bit of $f$. Therefore Eve can definitely benefit from biasing the $i$'th bit towards 0.

Can the $i$'th subsystem be biased without changing the correlations Alice and Bob observe? The following lemma answers this question.



Lemma 5. For any $i \in [n]$, the system $P_{X_iY_i|U_iV_i}$ for which $I_N(P_{X_iY_i|U_iV_i}) = I^*_N$ can be biased towards 0 (or 1) by $c(I^*_N) = \frac{I^*_N}{2N}$.

We denote the biased system by $P^a_{X_iY_i|U_iV_i}$ for $a \in \{0, 1\}$. The biased system is given in Appendix A.

Therefore, in our adversarial strategy, if the value of the $i$'th bit $x_i$, given the prefix $x_{1\ldots i-1}$, has enough influence over the outcome of $f$ (we will soon define how much is enough), although the suffix is unknown, then the $i$'th system is biased by $c(I^*_N)$. Note that for any prefix $x_{1\ldots i-1}$ a different system $P_{X_iY_i|U_iV_i}$ should be biased.

Next we say how Eve determines which subsystem $P_{X_iY_i|U_iV_i}$ to bias for every $x$. For every function $f$, index $i \in [n]$ and prefix $x_{1\ldots i-1}$ define

$$\Delta_i(x_{1\ldots i-1}) = \left|\Pr_{x_{i+1\ldots n}}\left[f(x_{1\ldots i-1}\,0\,x_{i+1\ldots n}) = 0\right] - \Pr_{x_{i+1\ldots n}}\left[f(x_{1\ldots i-1}\,1\,x_{i+1\ldots n}) = 0\right]\right|.$$

$\Delta_i(x_{1\ldots i-1})$ quantifies how much influence the $i$'th bit has over $f$ given the prefix $x_{1\ldots i-1}$.$^{6,7}$ For every $x$, Eve will bias the subsystem with the pivotal index, as we now define.

Definition 6. (Pivotal index). Given $f : \{0,1\}^n \to \{0,1\}$, for any $x$, the pivotal index $i(x) \in [n]$ is the smallest index such that $\Delta_{i(x)}(x_{1\ldots i-1}) > \frac{1}{3n}$.

Consider for example the function presented in Figure 2. The pivotal indices are marked in the binary tree of the function by a circle. For strings $x$ with prefix $x_1 = 0$ the pivotal index is $i(x) = 2$, while for strings with prefixes $x_1x_2 = 10$ and $x_1x_2 = 11$ the pivotal index is $i(x) = 3$.




Figure 2: Binary tree with pivotal nodes. The pivotal nodes are marked with circles.

Luckily, for every almost balanced function $f : \{0,1\}^n \to \{0,1\}$ and every $x \in \{0,1\}^n$ there exists such a pivotal index $i(x)$ for which $\Delta_{i(x)}(x_{1\ldots i-1}) > \frac{1}{3n}$, and therefore for every $x$ there exists some bit, $x_{i(x)}$, which can give non-negligible information to Eve about the final output.

Lemma 7. Let $f : \{0,1\}^n \to \{0,1\}$ be an almost balanced function, i.e. a function for which $|\Pr_x[f(x) = 0] - \Pr_x[f(x) = 1]|$ is at most a fixed constant strictly smaller than 1. Then for any $x$ there exists a pivotal index $i(x)$ such that $\Delta_{i(x)}(x_{1\ldots i-1}) > \frac{1}{3n}$.

6 Note that the influence towards $f(x) = 0$ and $f(x) = 1$ is the same.

7 The terms 'pivotal' and 'influence' are taken from the field of Boolean function analysis.

Lemma 7 is proven in Appendix B. Putting everything together, Eve's strategy is as follows. For every $x$ the $i(x)$'th subsystem, where $i(x)$ is the pivotal index of $x$, is biased. It is biased by $c(I^*_N)$ towards 0 if $\Pr_{x_{i+1\ldots n}}[f(x_{1\ldots i-1}\,0\,x_{i+1\ldots n}) = 0] > \Pr_{x_{i+1\ldots n}}[f(x_{1\ldots i-1}\,1\,x_{i+1\ldots n}) = 0]$ and towards 1 otherwise. The system $P^0_{XY|UV}$ which results from such a strategy is given in Equation (3) in Appendix C.

The strategy for biasing the system towards $f(x) = 1$ is symmetric to the strategy we described for $f(x) = 0$. The only difference is that Eve will bias the $i$'th system by $c(I^*_N)$ towards 0 if $\Pr_{x_{i+1\ldots n}}[f(x_{1\ldots i-1}\,0\,x_{i+1\ldots n}) = 0] < \Pr_{x_{i+1\ldots n}}[f(x_{1\ldots i-1}\,1\,x_{i+1\ldots n}) = 0]$ and towards 1 otherwise, and not the other way around. The fact that these two symmetric systems put together a legal partition, as in Definition 3, is proven in Appendix C.

Since Eve biases a different subsystem $P_{X_{i(x)}Y_{i(x)}|U_{i(x)}V_{i(x)}}$ for every $x$, it is not clear that the system $P^0_{XY|UV}$ is indeed time-ordered non-signalling. The key idea for proving such a thing is that for every $x$, the location of the pivotal index $i(x)$ depends only on the prefix of $x$ up to this index. Intuitively, in our case this corresponds to the fact that signalling is possible from past measurements to future measurements, or in other words, the fact that at any given time the prefix of $x$ can be saved in Alice's device. This is proven formally in Appendix C.

How much information does this strategy give Eve? For every $x$ the $i(x)$'th subsystem is biased by $c(I^*_N)$. However, the advantage Eve gets from this shift in the probabilities is only $c(I^*_N) \cdot \Delta_{i(x)}(x_{1\ldots i-1})$ since the pivotal bit does not determine $f(x)$ exactly.$^8$ Moreover, since $P^0_{XY|UV}$ and $P^1_{XY|UV}$ are symmetric and both occur with the same probability $\frac{1}{2}$ they both contribute the same amount of knowledge to Eve.

As mentioned before, for any function for which $|\Pr_x[f(x) = 0] - \Pr_x[f(x) = 1]|$ exceeds the almost-balanced constant Eve can just guess the value of the function with a constant success probability bounded away from $\frac{1}{2}$. Therefore these kinds of functions do not bother us. Altogether we get the following theorem.

Theorem 8. There exists a time-ordered non-signalling system $P_{XY|UV}$ as in Definition 2 such that for any hash function $f : \{0,1\}^n \to \{0,1\}$ there exists a strategy $w$ for which the distance from uniform of $f(x)$ given $w$ is at least $c(I^*_N) \cdot \frac{1}{3n}$, i.e., $d(f(x) \mid Z(w)) \geq c(I^*_N) \cdot \frac{1}{3n} \in \Omega(\frac{1}{n})$,$^9$ where $I_N(P_{XY|UV}) = I^*_N$ and $c(I^*_N) = \frac{I^*_N}{2N}$.

Proof. If $f : \{0,1\}^n \to \{0,1\}$ is an almost balanced function as in Lemma 7 then $w$ is the strategy described above, for which $d(f(x) \mid Z(w)) \geq c(I^*_N) \cdot \frac{1}{3n}$. Otherwise, the strategy is to guess $f(x)$. For this trivial strategy the distance from uniform is a constant, and in particular $d(f(x) \mid Z(w)) \geq c(I^*_N) \cdot \frac{1}{3n}$. □
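The following worked example, added here and not taken from the paper, implements Definition 6 (influence and pivotal index), the strategy of Equation (3) in Appendix C built from the biased boxes of Lemma 5, the checks of Definitions 2 and 3, and the distance of Lemma 4, for the assumed parameters $n = 3$ and $N = 2$ (CHSH, where every input pair is allowed). The function names, the dictionary representation of $P_{XY|UV}$ and the fixed input pair used for the distance are this example's own choices. For the XOR and Majority functions mentioned in the concluding remarks it yields the bias $c(I^*_N)$ and $c(I^*_N)/2$ respectively, both above the bound $c(I^*_N)\cdot\frac{1}{3n}$ of Theorem 8.

```python
import math
from itertools import product

# Added worked example of Eve's strategy (not the paper's code). Assumed sizes:
# n = 3 boxes and N = 2 (CHSH), so Alice's inputs are {0,2}, Bob's {1,3} and
# every input pair lies in G_2. x, y, u, v are tuples of length n.
N, n = 2, 3
S = math.sin(math.pi / (4 * N)) ** 2      # c(I*_N) = I*_N / 2N = sin^2(pi/4N)
U_IN, V_IN = (0, 2), (1, 3)

def box(x, y, u, v):
    """One unbiased subsystem P_{X_iY_i|U_iV_i}: |Phi+> measured as in Eq. (2)."""
    delta = (u - v) * math.pi / (4 * N)
    return (math.cos(delta) ** 2 if x == y else math.sin(delta) ** 2) / 2

def biased_box(a, x, y, u, v):
    """Lemma 5 / Appendix A: shift S/2 in every row out of x = 1-a into x = a."""
    return box(x, y, u, v) + (S / 2 if x == a else -S / 2)

def prob_zero(f, prefix):
    """pi^0(prefix) of Appendix B: Pr over a uniform suffix that f = 0."""
    suffixes = list(product((0, 1), repeat=n - len(prefix)))
    return sum(1 for s in suffixes if f(prefix + s) == 0) / len(suffixes)

def influence(f, i, prefix):
    """Delta_i(x_1..i-1) of Definition 6; i is 1-based, len(prefix) == i - 1."""
    return abs(prob_zero(f, prefix + (0,)) - prob_zero(f, prefix + (1,)))

def pivotal_index(f, x):
    """Smallest i with Delta_i(x_1..i-1) > 1/(3n); None if no index qualifies."""
    for i in range(1, n + 1):
        if influence(f, i, x[:i - 1]) > 1 / (3 * n):
            return i
    return None

def bias_direction(f, x, i, z):
    """The value a of Appendix C: for z = 0 the pivotal bit is pushed towards
    the value making f(x) = 0 more likely, for z = 1 towards the other value."""
    a = 0 if prob_zero(f, x[:i - 1] + (0,)) > prob_zero(f, x[:i - 1] + (1,)) else 1
    return a if z == 0 else 1 - a

def full_system(choose_bias):
    """Product of n boxes (Eq. (3)); choose_bias(x) is None or (i, a), naming
    the one subsystem that is replaced by its biased version."""
    P = {}
    for x in product((0, 1), repeat=n):
        choice = choose_bias(x)      # depends only on the prefix before index i
        for y, u, v in product(product((0, 1), repeat=n),
                               product(U_IN, repeat=n), product(V_IN, repeat=n)):
            p = 1.0
            for j in range(n):
                if choice is not None and j == choice[0] - 1:
                    p *= biased_box(choice[1], x[j], y[j], u[j], v[j])
                else:
                    p *= box(x[j], y[j], u[j], v[j])
            P[(x, y, u, v)] = p
    return P

def honest_system():
    return full_system(lambda x: None)

def eve_system(f, z):
    """P^z_{XY|UV}: the pivotal subsystem of every x is biased."""
    def choice(x):
        i = pivotal_index(f, x)
        return None if i is None else (i, bias_direction(f, x, i, z))
    return full_system(choice)

def is_normalised(P, tol=1e-12):
    totals = {}
    for (x, y, u, v), p in P.items():
        totals[(u, v)] = totals.get((u, v), 0.0) + p
    return all(abs(t - 1) < tol for t in totals.values())

def is_partition(f, tol=1e-12):
    """Definition 3 with p_0 = p_1 = 1/2 (the two lemmas of Appendix C)."""
    P, P0, P1 = honest_system(), eve_system(f, 0), eve_system(f, 1)
    nonneg = min(P0.values()) >= -tol and min(P1.values()) >= -tol
    return (nonneg and is_normalised(P0, tol) and is_normalised(P1, tol)
            and all(abs(P[k] - (P0[k] + P1[k]) / 2) <= tol for k in P))

def is_time_ordered_ns(P, tol=1e-12):
    """Definition 2: for every i, after summing over Bob's outputs y_i..y_n the
    weight of (x, y_1..y_{i-1}) must not depend on Bob's inputs v_i..v_n."""
    for i in range(1, n + 1):
        sums = {}
        for (x, y, u, v), p in P.items():
            past, future = (x, y[:i - 1], u, v[:i - 1]), v[i - 1:]
            d = sums.setdefault(past, {})
            d[future] = d.get(future, 0.0) + p
        for by_future in sums.values():
            if max(by_future.values()) - min(by_future.values()) > tol:
                return False
    return True

def distance_from_uniform(f):
    """Lemma 4 with p_{z=0} = 1/2 for the fixed inputs u = 0^n, v = 1^n
    (Alice's marginal is the same for every input pair)."""
    u0, v0 = (0,) * n, (1,) * n
    def pr_zero(P):   # Pr[f(X) = 0] under P for the fixed inputs
        return sum(p for (x, y, u, v), p in P.items()
                   if u == u0 and v == v0 and f(x) == 0)
    k0_z0, k0 = pr_zero(eve_system(f, 0)), pr_zero(honest_system())
    return 0.5 * (k0_z0 - (1 - k0_z0)) - 0.5 * (k0 - (1 - k0))
```

Calling `distance_from_uniform(lambda x: x[0] ^ x[1] ^ x[2])` gives $S = c(I^*_N)$: for XOR the pivotal index is always $n$ and the last bit determines the parity, so the shift is converted into bias in full. For `lambda x: int(sum(x) >= 2)` (Majority) the pivotal index is 1 with $\Delta_1 = \frac{1}{2}$, and the bias is $c(I^*_N)\cdot\Delta_1 = S/2$, matching the discussion of the advantage above; `is_time_ordered_ns(eve_system(f, 0))` confirms that biasing a subsystem chosen from the prefix keeps the system within Definition 2.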

Concluding remarks and open questions 

In this paper we showed that when considering systems 
which can signal only forward in time and non-signalling 
adversaries, then super-polynomial privacy amplifica- 
tion by any hash function is impossible. For protocols 
which are based on the violation of the chained Bell in- 
equalities, we presented a specific adversarial strategy 
which uses the memory of the device in order to gain 
information about the value of the function. 

It is not yet clear whether our result is tight. We showed that, independently of which hash function Alice is using, Eve can bias the key by at least $\Omega(\frac{1}{n})$. For some bad choices of hash functions Eve can get even more information than $\Omega(\frac{1}{n})$ by using the same strategy. For example, if the chosen hash function is the XOR, then by using the exact same strategy, but with a different analysis, Eve can bias the final key bit by a constant. When using the Majority function this strategy gives her only a sub-constant bias. Is this the best Eve can do? Can we find a specific hash function for which she cannot do any better than this? The question whether linear privacy amplification is possible or not therefore remains open.

Acknowledgments: Rotem Arnon-Friedman thanks 
Roger Colbeck for helpful comments. Both authors ac- 
QCS.



8 When we shift some probability $\pi$ around from a cell which has probability $p_1$ to result in $f(x) = 0$ (over the suffix) to a cell which has probability $p_2$ to result in $f(x) = 0$, the advantage we get from shifting $\pi$ is $\pi \cdot (p_2 - p_1)$. In our case, $p_2 - p_1$ is exactly $\Delta_{i(x)}(x_{1\ldots i-1})$.

9 Remember that $n$ is the number of systems while $N$ is the number of possible measurements for each system. For any given protocol $N$ is constant and therefore so also is $I^*_N$.
Appendices

A Proof of Lemma 5

We now prove the following lemma:

Lemma. For any $i \in [n]$, the system $P_{X_iY_i|U_iV_i}$ for which $I_N(P_{X_iY_i|U_iV_i}) = I^*_N$ can be biased towards 0 (or 1) by $c(I^*_N) = \frac{I^*_N}{2N}$.

Proof. In order to prove this we define the system $P^0_{X_iY_i|U_iV_i}$ which is biased towards 0 by $c(I^*_N)$. We do so by shifting probabilities around in the original unbiased system $P_{X_iY_i|U_iV_i}$. The original system $P_{X_iY_i|U_iV_i}$, as in Figure 3, describes the measurement statistics of the maximally entangled state $|\Phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ in the basis $\{\cos\frac{\theta}{2}|0\rangle + \sin\frac{\theta}{2}|1\rangle,\ \sin\frac{\theta}{2}|0\rangle - \cos\frac{\theta}{2}|1\rangle\}$, where for Alice $\theta = \frac{u\pi}{2N}$, $U \in \{0, 2, \ldots, 2N-2\}$ and for Bob $\theta = \frac{v\pi}{2N}$, $V \in \{1, 3, \ldots, 2N-1\}$.

In order to bias this system towards 0 we shift probabilities within each individual square in the figure, such that each square will be biased towards 0 by $\sin^2(\frac{\pi}{4N})$. We do so by shifting in every row a probability of $\frac{1}{2}\sin^2(\frac{\pi}{4N})$ out from the cell with $x_i = 1$ and into the cell with $x_i = 0$, as indicated in Figure 4. Each square corresponds to a different measurement made by Alice and Bob, and therefore for every measurement the bias is the same and equivalent to $c(I^*_N) = \frac{1}{2N} \cdot I^*_N$.

Note that by shifting probabilities in this way we do not change the correlations of the system, i.e., $I_N(P^0_{X_iY_i|U_iV_i}) = I^*_N$.

The system $P^1_{X_iY_i|U_iV_i}$, which is biased towards 1, is symmetric. That is, we shift the same amount of probability but in the opposite direction (from $x_i = 0$ to $x_i = 1$). This also implies that $\frac{1}{2}P^0_{X_iY_i|U_iV_i} + \frac{1}{2}P^1_{X_iY_i|U_iV_i} = P_{X_iY_i|U_iV_i}$.
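An added check of the probability shift described in this proof (example code for this edit, not the paper's): for every allowed pair $(u, v)$ it constructs one square of Figure 3, applies the shift of $\frac{1}{2}\sin^2\frac{\pi}{4N}$ per row, and verifies that no entry becomes negative, that $\Pr[X = Y \mid u, v]$ (and hence $I_N$) and Bob's marginal are unchanged, that Alice's marginal moves by exactly $\sin^2\frac{\pi}{4N} = c(I^*_N)$, and that $\frac{1}{2}P^0 + \frac{1}{2}P^1$ gives back the original square. The function names and the dictionary layout are this example's own; the unbiased entries are the Born-rule values for the stated bases, stated as an assumption in the comments.

```python
import math
from itertools import product

# Added check of the probability shift of Appendix A (not the paper's code).
def unbiased_square(N, u, v):
    """One square of Figure 3: Pr[x, y | u, v] for |Phi+> measured with Alice's
    basis angle u*pi/(2N) and Bob's v*pi/(2N) (assumed Born-rule values)."""
    delta = (u - v) * math.pi / (4 * N)
    return {(x, y): (math.cos(delta) ** 2 if x == y else math.sin(delta) ** 2) / 2
            for x, y in product((0, 1), repeat=2)}

def biased_square(square, N, a):
    """Shift (1/2) sin^2(pi/4N) in every row y out of the cell x = 1-a into x = a."""
    shift = math.sin(math.pi / (4 * N)) ** 2 / 2
    return {(x, y): p + (shift if x == a else -shift) for (x, y), p in square.items()}

def allowed_pairs(N):
    """G_N: |u - v| = 1 with u even, v odd, plus the pair (0, 2N-1)."""
    pairs = [(u, v) for u in range(0, 2 * N - 1, 2)
             for v in range(1, 2 * N, 2) if abs(u - v) == 1]
    return pairs + [(0, 2 * N - 1)]

def shift_preserves_correlations(N, tol=1e-12):
    """For every allowed (u, v): entries stay non-negative, Pr[X = Y | u, v] (and
    hence I_N) and Bob's marginal are unchanged, Alice's marginal moves by exactly
    sin^2(pi/4N) = c(I*_N), and (P^0 + P^1) / 2 gives back the original square."""
    s = math.sin(math.pi / (4 * N)) ** 2
    for (u, v) in allowed_pairs(N):
        P = unbiased_square(N, u, v)
        P0, P1 = biased_square(P, N, 0), biased_square(P, N, 1)
        if min(P0.values()) < -tol or min(P1.values()) < -tol:
            return False
        for Q in (P0, P1):                       # correlations unchanged
            if abs(Q[(0, 0)] + Q[(1, 1)] - P[(0, 0)] - P[(1, 1)]) > tol:
                return False
        for y in (0, 1):                         # Bob's marginal: row sums
            if abs(P0[(0, y)] + P0[(1, y)] - P[(0, y)] - P[(1, y)]) > tol:
                return False
        alice_zero = P0[(0, 0)] + P0[(0, 1)]     # Alice's marginal after the shift
        if abs(alice_zero - (P[(0, 0)] + P[(0, 1)] + s)) > tol:
            return False
        if any(abs((P0[k] + P1[k]) / 2 - P[k]) > tol for k in P):
            return False
    return True
```

The shift is exactly as large as the smallest cell of a square ($\frac{1}{2}\sin^2\frac{\pi}{4N}$ for the $X \neq Y$ cells of a pair with $|u - v| = 1$), so after the shift that cell is 0 and no larger shift would keep the square a probability distribution.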



B Proof of Lemma 7

For convenience we rewrite Lemma 7 here again.

Lemma. Let $f : \{0,1\}^n \to \{0,1\}$ be an almost balanced function, i.e. a function for which $|\Pr_x[f(x) = 0] - \Pr_x[f(x) = 1]|$ is at most a fixed constant strictly smaller than 1. Then for any $x$ there exists a pivotal index $i(x)$ such that $\Delta_{i(x)}(x_{1\ldots i-1}) > \frac{1}{3n}$, where

$$\Delta_i(x_{1\ldots i-1}) = \left|\Pr_{x_{i+1\ldots n}}\left[f(x_{1\ldots i-1}\,0\,x_{i+1\ldots n}) = 0\right] - \Pr_{x_{i+1\ldots n}}\left[f(x_{1\ldots i-1}\,1\,x_{i+1\ldots n}) = 0\right]\right|.$$

Proof. Let $\pi^0(x_{1\ldots i-1}) = \Pr_{x_{i\ldots n}}[f(x) = 0]$, where $\pi^0(\emptyset) = \Pr_{x_{1\ldots n}}[f(x) = 0]$, and note the following properties:

$$\pi^0(x_{1\ldots i-1}) = \tfrac{1}{2}\left[\pi^0(x_{1\ldots i-1}0) + \pi^0(x_{1\ldots i-1}1)\right],$$

$$\pi^0(x_{1\ldots n}) \in \{0, 1\}.$$

Assume w.l.o.g. $\pi^0(x_{1\ldots n}) = 0$ (the proof is symmetric for the case $\pi^0(x_{1\ldots n}) = 1$).

Let $\max_{i \in [n]} |\pi^0(x_{1\ldots i}) - \pi^0(x_{1\ldots i-1})| < \zeta$. This implies that

$$\pi^0(\emptyset) - \pi^0(x_{1\ldots n}) \leq n \cdot \zeta,$$

and since $f$ is almost balanced the left-hand side is bounded below by a constant (call it $\gamma$), so $\zeta > \frac{\gamma}{n}$. I.e., there exists $j \in [n]$ such that $|\pi^0(x_{1\ldots j}) - \pi^0(x_{1\ldots j-1})| \geq \frac{\gamma}{n}$, and since we assumed $\pi^0(x_{1\ldots n}) = 0$ we can further write $\pi^0(x_{1\ldots j-1}) \geq \pi^0(x_{1\ldots j}) + \frac{\gamma}{n}$. Moreover, since

$$\pi^0(x_{1\ldots j-1}) = \tfrac{1}{2}\left[\pi^0(x_{1\ldots j-1}0) + \pi^0(x_{1\ldots j-1}1)\right] = \tfrac{1}{2}\left[\pi^0(x_{1\ldots j-1}x_j) + \pi^0(x_{1\ldots j-1}\bar{x}_j)\right],$$

we get that $\pi^0(x_{1\ldots j-1}\bar{x}_j) \geq \pi^0(x_{1\ldots j-1}x_j) + \frac{2\gamma}{n}$, and therefore for any $x$ there exists an index $i(x) = j$ for which

$$\Delta_{i(x)}(x_{1\ldots i-1}) \geq \frac{2\gamma}{n} > \frac{1}{3n}. \qquad \square$$



C Formal definition of the strategy

As explained in the main text, Eve's strategy is to use a partition $\{(\frac{1}{2}, P^z_{XY|UV})\}_{z \in \{0,1\}}$ for which $P_{XY|UV} = \frac{1}{2}P^0_{XY|UV} + \frac{1}{2}P^1_{XY|UV}$. The systems $P^0_{XY|UV}$ and $P^1_{XY|UV}$ are obtained by biasing one individual subsystem $P_{X_{i(x)}Y_{i(x)}|U_{i(x)}V_{i(x)}}$ for each $x$. For any $i \in [n]$ let $P^0_{X_iY_i|U_iV_i}$ and $P^1_{X_iY_i|U_iV_i}$ be the biased systems as defined in Appendix A. The system $P^0_{XY|UV}$ is then formally defined by

$$P^0_{XY|UV}(x, y \mid u, v) = \prod_{j=1}^{i(x)-1} P_{X_jY_j|U_jV_j}(x_j, y_j \mid u_j, v_j) \cdot P^{a}_{X_{i(x)}Y_{i(x)}|U_{i(x)}V_{i(x)}}(x_{i(x)}, y_{i(x)} \mid u_{i(x)}, v_{i(x)}) \cdot \prod_{j=i(x)+1}^{n} P_{X_jY_j|U_jV_j}(x_j, y_j \mid u_j, v_j) \qquad (3)$$
Figure 3: The unbiased system $P_{X_iY_i|U_iV_i}$ for which $I_N = 2N\sin^2\frac{\pi}{4N}$. The empty squares in the figure are not relevant for the correlations and therefore are not considered in cryptographic protocols.

Figure 4: The biased system $P^0_{X_iY_i|U_iV_i}$. Here are the same squares of Figure 3 after the probability shift.
where $i(x)$ is the pivotal index of $x$ as in Definition 6 and

$$a = \begin{cases} 0 & \Pr_{x_{i+1\ldots n}}\left[f(x_{1\ldots i-1}\,0\,x_{i+1\ldots n}) = 0\right] > \Pr_{x_{i+1\ldots n}}\left[f(x_{1\ldots i-1}\,1\,x_{i+1\ldots n}) = 0\right] \\ 1 & \text{otherwise.} \end{cases}$$

That is, if $f(x)$ is more likely to result in $f(x) = 0$ when $x_{i(x)} = 0$ then Eve biases the $i(x)$'th system towards 0, and if not then towards 1. Note that since Eve manipulates the $i(x)$'th system only if $\Delta_{i(x)}(x_{1\ldots i-1}) > \frac{1}{3n}$, $\Pr_{x_{i+1\ldots n}}[f(x_{1\ldots i-1}\,0\,x_{i+1\ldots n}) = 0]$ never equals $\Pr_{x_{i+1\ldots n}}[f(x_{1\ldots i-1}\,1\,x_{i+1\ldots n}) = 0]$.

The complementary system $P^1_{XY|UV}$ is defined in the exact same way but with $\bar{a}$ instead of $a$.

In order to prove the legality of the strategy we first prove that $P^{0}_{XY|UV}$ is a probability distribution.

Lemma. The system $P^{0}_{XY|UV}$ is a probability distribution. That is,

1. For all $x,y,u,v$: $P^{0}_{XY|UV}(x,y|u,v) \ge 0$.

2. The system is normalized. For all $u,v$: $\sum_{x,y} P^{0}_{XY|UV}(x,y|u,v) = 1$.

Proof. Each of the multiplicands in Equation (3) is non-negative and therefore for all $x,y,u,v$ it also holds that $P^{0}_{XY|UV}(x,y|u,v) \ge 0$. Furthermore, since

$$
P^{Z_{i(x)}=\sigma}_{X_{i(x)}Y_{i(x)}|U_{i(x)}V_{i(x)}}(x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)}) + P^{Z_{i(x)}=\sigma}_{X_{i(x)}Y_{i(x)}|U_{i(x)}V_{i(x)}}(\bar x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)}) = P_{X_{i(x)}Y_{i(x)}|U_{i(x)}V_{i(x)}}(x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)}) + P_{X_{i(x)}Y_{i(x)}|U_{i(x)}V_{i(x)}}(\bar x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)}) \qquad (4)
$$

(cf. Figure 4), and since $i(x)$ and $\sigma$ are determined by $x_{1\dots i(x)-1}$ alone (so that $x$ and the string obtained from it by flipping the $i(x)$'th bit share the same pivotal index and the same bias), we also have

$$
P^{0}_{XY|UV}(x,y|u,v) + P^{0}_{XY|UV}(x^{i(x)},y|u,v) = P_{XY|UV}(x,y|u,v) + P_{XY|UV}(x^{i(x)},y|u,v),
$$

where $x^{i(x)}$ is the string $x$ with the $i(x)$'th bit flipped, i.e., $x^{i(x)} = x_1\dots x_{i(x)-1}\,\bar x_{i(x)}\,x_{i(x)+1}\dots x_n$. Pairing every $x$ with $x^{i(x)}$, this implies that

$$
\sum_{x,y} P^{0}_{XY|UV}(x,y|u,v) = \sum_{x,y} P_{XY|UV}(x,y|u,v) = 1.
$$

□

The same proof holds for $P^{1}_{XY|UV}$ as well. The fact that $P^{0}_{XY|UV}$ and $P^{1}_{XY|UV}$ are probability distributions is not enough. We also need to prove that they are complementary systems, i.e., $P_{XY|UV} = \tfrac12 P^{0}_{XY|UV} + \tfrac12 P^{1}_{XY|UV}$.

Lemma. $P_{XY|UV} = \tfrac12 P^{0}_{XY|UV} + \tfrac12 P^{1}_{XY|UV}$.

Proof. For simplicity we drop the subscript $XY|UV$ from all the systems. For example, $P(x,y|u,v)$ should be understood as $P_{XY|UV}(x,y|u,v)$, while $P^{Z_i=\sigma}(x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)})$ should be understood as $P^{Z_{i(x)}=\sigma}_{X_{i(x)}Y_{i(x)}|U_{i(x)}V_{i(x)}}(x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)})$.

$$
\begin{aligned}
2P(x,y|u,v) - P^{0}(x,y|u,v) &= 2\prod_{j=1}^{n} P(x_j,y_j|u_j,v_j) - P^{0}(x,y|u,v) \\
&= \prod_{\substack{j=1\\ j\neq i(x)}}^{n} P(x_j,y_j|u_j,v_j)\cdot\Big[2P(x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)}) - P^{Z_i=\sigma}(x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)})\Big] \\
&= \prod_{\substack{j=1\\ j\neq i(x)}}^{n} P(x_j,y_j|u_j,v_j)\cdot P^{Z_i=\bar\sigma}(x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)}) \\
&= P^{1}(x,y|u,v),
\end{aligned}
$$

where the third equality uses the fact that the biased systems of Appendix A satisfy $P^{Z_i=\sigma} + P^{Z_i=\bar\sigma} = 2P$ on the pivotal subsystem. □
We are left to show that the system $P^{0}_{XY|UV}$ is a time-ordered non-signalling system.

Lemma. The system $P^{0}_{XY|UV}$ is time-ordered non-signalling as in Definition 2.

Proof. For the conditions on Bob's side of the system we first note the following. In the system $P^{Z_i=\sigma}_{X_iY_i|U_iV_i}$ we shift probabilities only within the same row. Moreover, we shift the probability in the exact same way on identical rows (cf. Figure 4: the first row in the upper boxes is identical to the second row in the lower boxes). It then follows from Lemmas 4.4, 4.5 and 4.6 in [14] that the full non-signalling conditions hold for Bob's side (i.e., every subset of his systems cannot signal any other subset of systems). In particular, the time-ordered non-signalling conditions hold.

For simplicity we drop the subscript $XY|UV$ from all the systems as in the previous proof. We now want to prove that the conditions on Alice's side hold, i.e., that for any sets $I_1, I_2$ as in Definition 2,

$$
\forall\, x_{I_1},y,u_{I_1},u_{I_2},u'_{I_2},v:\qquad \sum_{x_{I_2}} P^{0}(x_{I_1},x_{I_2},y|u_{I_1},u_{I_2},v) = \sum_{x_{I_2}} P^{0}(x_{I_1},x_{I_2},y|u_{I_1},u'_{I_2},v). \qquad (5)
$$

For any $x_{I_1}$ there are two possible cases, as indicated in Figure 5: the pivotal index $i(x)$ is either in $I_1$ or in $I_2$. We show that in both cases the time-ordered non-signalling conditions on Alice's side hold.

First assume that the pivotal index $i(x)\in I_1$. For any $u$, $u'$ and $v$, and for any $x$, let

$$
x'_j = \begin{cases}
\bar x_j & \text{if } u_j \neq u'_j \ \wedge\ v_j = 2N-1 \\
x_j & \text{otherwise}
\end{cases}
$$

and $x' = x'_1\dots x'_n$. Furthermore, note that for the unbiased system $P_{XY|UV}$ we have $P_{XY|UV}(x,y|u,v) = P_{XY|UV}(x',y|u',v)$. Since $i(x)\in I_1$ we have, with $u' = u_{I_1}u'_{I_2}$ (so that $x'_j = x_j$ for $j\in I_1$),

$$
\begin{aligned}
P^{0}(x_{I_1},x_{I_2},y|u_{I_1},u_{I_2},v) &= \prod_{j=1}^{i(x)-1} P(x_j,y_j|u_j,v_j)\cdot P^{Z_i=\sigma}(x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)})\cdot\prod_{j=i(x)+1}^{n} P(x_j,y_j|u_j,v_j) \\
&= \prod_{j=1}^{i(x)-1} P(x_j,y_j|u_j,v_j)\cdot P^{Z_i=\sigma}(x_{i(x)},y_{i(x)}|u_{i(x)},v_{i(x)})\cdot\prod_{j=i(x)+1}^{n} P(x'_j,y_j|u'_j,v_j) \\
&= P^{0}(x_{I_1},x'_{I_2},y|u_{I_1},u'_{I_2},v).
\end{aligned}
$$

Since $x_{I_2}\mapsto x'_{I_2}$ is a bijection, summing both sides over $x_{I_2}$ shows that Equation (5) holds as well.
Figure 5: Two possible cases: $i(x)\in I_1$ or $i(x)\in I_2$.
For the second case, assume that $i(x)\in I_2$. For all $x_{I_1},y,u_{I_1},u_{I_2},u'_{I_2},v$, denote $u' = u_{I_1}u'_{I_2}$. Then

$$
\begin{aligned}
\sum_{x_{I_2}} P^{0}(x_{I_1},x_{I_2},y|u_{I_1},u'_{I_2},v)
&= \sum_{x_{I_2}} \prod_{j=1}^{i(x)-1} P(x_j,y_j|u'_j,v_j)\cdot P^{Z_i=\sigma}(x_{i(x)},y_{i(x)}|u'_{i(x)},v_{i(x)})\cdot\prod_{j=i(x)+1}^{n} P(x_j,y_j|u'_j,v_j) \\
&= \sum_{x_{I_2\setminus\{i(x)\}}} \prod_{j=1}^{i(x)-1} P(x_j,y_j|u'_j,v_j)\cdot\Big[P^{Z_i=\sigma}(x_{i(x)},y_{i(x)}|u'_{i(x)},v_{i(x)}) + P^{Z_i=\sigma}(\bar x_{i(x)},y_{i(x)}|u'_{i(x)},v_{i(x)})\Big]\cdot\prod_{j=i(x)+1}^{n} P(x_j,y_j|u'_j,v_j) \\
&= \sum_{x_{I_2\setminus\{i(x)\}}} \prod_{j=1}^{i(x)-1} P(x_j,y_j|u'_j,v_j)\cdot\Big[P(x_{i(x)},y_{i(x)}|u'_{i(x)},v_{i(x)}) + P(\bar x_{i(x)},y_{i(x)}|u'_{i(x)},v_{i(x)})\Big]\cdot\prod_{j=i(x)+1}^{n} P(x_j,y_j|u'_j,v_j) \\
&= \sum_{x_{I_2}} \prod_{j=1}^{n} P(x_j,y_j|u'_j,v_j) \\
&= \sum_{x_{I_2}} P(x_{I_1},x_{I_2},y|u_{I_1},u'_{I_2},v),
\end{aligned}
$$

where the third equality is due to Equation (4). Now since the unbiased system $P$ fulfils all non-signalling conditions, and in particular it is also time-ordered non-signalling, we have $\sum_{x_{I_2}} P(x_{I_1},x_{I_2},y|u_{I_1},u'_{I_2},v) = \sum_{x_{I_2}} P(x_{I_1},x_{I_2},y|u_{I_1},u_{I_2},v)$. Adding everything together we get

$$
\begin{aligned}
\sum_{x_{I_2}} P^{0}(x_{I_1},x_{I_2},y|u_{I_1},u'_{I_2},v) &= \sum_{x_{I_2}} P(x_{I_1},x_{I_2},y|u_{I_1},u'_{I_2},v) \\
&= \sum_{x_{I_2}} P(x_{I_1},x_{I_2},y|u_{I_1},u_{I_2},v) \\
&= \sum_{x_{I_2}} P^{0}(x_{I_1},x_{I_2},y|u_{I_1},u_{I_2},v).
\end{aligned}
$$

Therefore in both cases Equation (5) holds and the system $P^{0}_{XY|UV}$ is time-ordered non-signalling. The same proof holds for $P^{1}_{XY|UV}$ as well.

□
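The definition in Equation (3) and the three lemmas of this appendix can be checked numerically on a small instance. The Python script below is an added example and not code from the paper. Everything concrete in it is an assumption of the example: a non-signalling noisy PR box with binary inputs and correlation $C$ stands in for the chained-Bell subsystem of Appendix A; the bias $P^{Z_i=\sigma}$ is modelled as a uniform shift of size $\varepsilon$ inside every row of the pivot box (which preserves the row sums of Equation (4) and gives $P^{Z_i=\sigma}+P^{Z_i=\bar\sigma}=2P$); the hashing function $f$ is a hypothetical multiplexer chosen so that the pivotal index depends on the prefix of $x$; the pivot rule uses a threshold of $1/3n$ and a uniform suffix in place of Definition 5; and the time-ordered split of Definition 2 is taken to be $I_1=\{1,\dots,k\}$, $I_2=\{k+1,\dots,n\}$. With exact rational arithmetic the script verifies Lemma 1 (non-negativity and normalisation), Lemma 2 (complementarity), Equation (5) for every prefix split, shows that $P^{0}$ is nevertheless not fully non-signalling, and computes $\Pr[f(X)=0]$ under $P$, $P^{0}$ and $P^{1}$.

```python
"""Added example (not from the paper): exact numerical check of Eve's
biased-pivot construction of Appendix C on a constructed 3-subsystem instance."""
from fractions import Fraction
from functools import lru_cache
from itertools import product

N_SUB = 3                            # n: number of subsystems (hash_fn assumes 3)
C = Fraction(1, 2)                   # correlation of the stand-in box (assumed)
EPS = Fraction(1, 10)                # Eve's shift; requires EPS <= (1-C)/4 (assumed)
THRESHOLD = Fraction(1, 3 * N_SUB)   # pivot threshold, stand-in for Definition 5 (assumed)
BITS = list(product((0, 1), repeat=N_SUB))

@lru_cache(maxsize=None)
def box(x, y, u, v):
    """Unbiased subsystem P_{X_iY_i|U_iV_i}: a non-signalling noisy PR box with
    binary inputs/outputs (constructed stand-in for the chained-Bell system)."""
    return (1 + C * (1 if (x ^ y ^ (u & v)) == 0 else -1)) / 4

@lru_cache(maxsize=None)
def biased_box(sigma, x, y, u, v):
    """P^{Z_i=sigma}: move EPS of probability from x = 1-sigma to x = sigma inside
    every row (y,u,v). Row sums are preserved (Equation (4)) and
    P^{sigma} + P^{1-sigma} = 2P (assumed shape of the bias)."""
    return box(x, y, u, v) + (EPS if x == sigma else -EPS)

def hash_fn(x):
    """Hypothetical hashing function f(x) = x1 ? x2 : x3 (a multiplexer)."""
    return x[1] if x[0] == 1 else x[2]

def prob_f_zero(prefix, bit):
    """Pr over a uniform suffix that f(prefix, bit, suffix) = 0 (assumed rule)."""
    suffixes = list(product((0, 1), repeat=N_SUB - len(prefix) - 1))
    hits = sum(1 for s in suffixes if hash_fn(prefix + (bit,) + s) == 0)
    return Fraction(hits, len(suffixes))

@lru_cache(maxsize=None)
def pivot(x):
    """Pivotal index i(x) (0-based) and bias sigma: the first position whose value
    moves Pr[f = 0] by more than THRESHOLD, given the prefix x_1..x_{i-1}."""
    for i in range(N_SUB):
        p0, p1 = prob_f_zero(x[:i], 0), prob_f_zero(x[:i], 1)
        if abs(p0 - p1) > THRESHOLD:
            return i, (0 if p0 > p1 else 1)
    raise ValueError("f has no pivotal index for this x")

def system(tag, x, y, u, v):
    """Equation (3). tag 0 -> P^0 (bias sigma at the pivot), tag 1 -> P^1
    (bias 1-sigma), tag 'unbiased' -> the product P of unbiased boxes."""
    i, sigma = (None, None) if tag == "unbiased" else pivot(x)
    if tag == 1:
        sigma = 1 - sigma
    p = Fraction(1)
    for j in range(N_SUB):
        p *= biased_box(sigma, x[j], y[j], u[j], v[j]) if j == i else box(x[j], y[j], u[j], v[j])
    return p

def check_distribution(tag):
    """Lemma 1: non-negative and normalised for every input pair (u, v)."""
    for u, v in product(BITS, BITS):
        terms = [system(tag, x, y, u, v) for x, y in product(BITS, BITS)]
        if min(terms) < 0 or sum(terms) != 1:
            return False
    return True

def check_complementary():
    """Lemma 2: P = 1/2 P^0 + 1/2 P^1 pointwise."""
    return all(2 * system("unbiased", x, y, u, v) == system(0, x, y, u, v) + system(1, x, y, u, v)
               for x, y, u, v in product(BITS, BITS, BITS, BITS))

def future_marginal(tag, k, x_past, y, u, v):
    """Sum over Alice's future outputs x_{k+1..n}: one side of Equation (5) with
    I_1 = {1..k}, I_2 = {k+1..n} (assumed time-ordered split of Definition 2)."""
    return sum(system(tag, x_past + x_fut, y, u, v) for x_fut in product((0, 1), repeat=N_SUB - k))

def check_time_ordered(tag):
    """Equation (5): changing Alice's future inputs u_{k+1..n} never changes the
    joint distribution of her past outputs x_{1..k} and Bob's outputs y."""
    for k in range(N_SUB + 1):
        past, future = list(product((0, 1), repeat=k)), list(product((0, 1), repeat=N_SUB - k))
        for x_past, y, v, u_past in product(past, BITS, BITS, past):
            if len({future_marginal(tag, k, x_past, y, u_past + u_fut, v) for u_fut in future}) != 1:
                return False
    return True

def full_non_signalling_fails():
    """P^0 is NOT fully non-signalling: summing out only x_1 leaves a dependence on
    u_1, because the pivot of the later subsystems depends on x_1 (past-to-future
    signalling, which the time-ordered model allows)."""
    rest = list(product((0, 1), repeat=N_SUB - 1))
    for x_rest, y, v, u_rest in product(rest, BITS, BITS, rest):
        vals = {sum(system(0, (x1,) + x_rest, y, (u1,) + u_rest, v) for x1 in (0, 1)) for u1 in (0, 1)}
        if len(vals) != 1:
            return True
    return False

def prob_hash_zero(tag, u, v):
    """Pr[f(X) = 0] under the given system for inputs (u, v): Eve's gain on f."""
    return sum(system(tag, x, y, u, v) for x, y in product(BITS, BITS) if hash_fn(x) == 0)

if __name__ == "__main__":
    u0 = v0 = (0,) * N_SUB
    print("Lemma 1:", check_distribution(0) and check_distribution(1))
    print("Lemma 2:", check_complementary())
    print("Equation (5), all prefix splits:", check_time_ordered(0) and check_time_ordered(1))
    print("full non-signalling violated:", full_non_signalling_fails())
    print("Pr[f=0] under P, P^0, P^1:", prob_hash_zero("unbiased", u0, v0),
          prob_hash_zero(0, u0, v0), prob_hash_zero(1, u0, v0))
```

The script runs offline in a few seconds. `check_time_ordered` passes for every prefix split while `full_non_signalling_fails` returns `True`: once only $x_1$ is summed out, the distribution of Alice's later outputs depends on her earlier input $u_1$, because the pivotal index of the later subsystems is chosen from $x_1$. This is exactly the past-to-future signalling that the time-ordered model permits and a fully non-signalling system would forbid. The last line shows the payoff of the strategy: under $P$ the hashed bit is uniform, but Eve, who knows which half of the partition she holds, sees $\Pr[f(X)=0]=7/10$ under $P^{0}$ and $3/10$ under $P^{1}$, the two averaging back to $1/2$ as Lemma 2 requires.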